Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
[edit] change to finished, update status [/edit]
[edit] wrong subject name [/edit]
[edit] Credits [/edit]
Thanks to @EricBetts who gathered all information so far.
Toy token is:
------------------------
- Mifare NTAG 213
- NDEF data layout.
- size 144 bytes.
Protection:
------------------------
PWD, PACK for reading tag data.
Tag data doesn't seem to be encrypted out of the box. Maybe when it is used in the game. To be verified.
Dump:
------------------------
- You can sniff the PWD, then use the "hf mfu" commands to get proper dumps.
Status:
------------------------
- PWD algo has been found.
- DATA encryption has been found.
Last edited by iceman (2016-02-10 10:56:56)
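The PWD_AUTH exchange that the post above says you can sniff, as an added worked example (not code from the thread or from the Proxmark3 project). It builds the reader command (0x1B + 4-byte PWD + CRC_A) and the tag's PACK reply the way they appear on the wire, then scans an already-parsed trace for them. The trace is constructed for the example; a real `hf 14a list` dump has to be split into (direction, bytes) pairs first, which this code does not do. Frame layouts follow ISO/IEC 14443-3 (CRC_A) and the NXP NTAG213 datasheet.

```python
"""NTAG21x PWD_AUTH / PACK frames and a sniff-trace scanner.

Added example, not code from the thread or the Proxmark3 project.
Frame layouts follow ISO/IEC 14443-3 (CRC_A) and the NXP NTAG213 datasheet
(PWD_AUTH command 0x1B, 2-byte PACK).  SAMPLE_TRACE is constructed here.
"""

PWD_AUTH = 0x1B  # NTAG21x password authentication command


def crc_a(data: bytes) -> int:
    """ISO/IEC 14443-3 CRC_A: reflected poly 0x8408, init 0x6363, no final XOR."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def with_crc(payload: bytes) -> bytes:
    """Append CRC_A, low byte first, as transmitted."""
    crc = crc_a(payload)
    return payload + bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 3 and crc_a(frame[:-2]) == (frame[-2] | (frame[-1] << 8))


def build_pwd_auth(pwd: bytes) -> bytes:
    """Reader -> tag: 1B p0 p1 p2 p3 crcL crcH (7 bytes)."""
    if len(pwd) != 4:
        raise ValueError("PWD is 4 bytes")
    return with_crc(bytes([PWD_AUTH]) + pwd)


def build_pack(pack: bytes) -> bytes:
    """Tag -> reader on success: PACK0 PACK1 crcL crcH (4 bytes)."""
    if len(pack) != 2:
        raise ValueError("PACK is 2 bytes")
    return with_crc(pack)


def find_pwd_auth(trace):
    """Scan a trace of (direction, frame) tuples, direction 'rdr' or 'tag'.

    Returns a list of (pwd, pack) for every well-formed PWD_AUTH.  pack is None
    when the tag did not answer with a CRC-protected 2-byte PACK: NTAG answers
    a wrong password with a 4-bit NAK, which carries no CRC.
    """
    found = []
    for i, (direction, frame) in enumerate(trace):
        if direction != "rdr" or len(frame) != 7 or frame[0] != PWD_AUTH:
            continue
        if not crc_ok(frame):
            continue  # corrupted capture, not a usable password
        pack = None
        if i + 1 < len(trace) and trace[i + 1][0] == "tag":
            reply = trace[i + 1][1]
            if len(reply) == 4 and crc_ok(reply):
                pack = reply[:2]
        found.append((frame[1:5], pack))
    return found


# Constructed trace: one rejected attempt with an all-zero password, then the
# real one.  PWD/PACK are the batman entry from the UID|PWD|PACK table in this thread.
SAMPLE_TRACE = [
    ("rdr", with_crc(bytes([0x30, 0x00]))),             # READ page 0 (open area)
    ("tag", with_crc(bytes(16))),                        # 16 data bytes (zeroed here)
    ("rdr", build_pwd_auth(bytes(4))),                   # PWD_AUTH 00000000
    ("tag", bytes([0x00])),                              # 4-bit NAK, no CRC
    ("rdr", build_pwd_auth(bytes.fromhex("712810eb"))),  # PWD_AUTH with the right key
    ("tag", build_pack(bytes.fromhex("aa55"))),          # PACK aa55
    ("rdr", with_crc(bytes([0x30, 0x1E]))),              # READ page 30, now allowed
]


def recovered_keys(trace=SAMPLE_TRACE):
    """Hex (pwd, pack) pairs; pwd is what 'hf mfu info k <pwd>' wants."""
    return [(pwd.hex(), pack.hex() if pack else None)
            for pwd, pack in find_pwd_auth(trace)]


if __name__ == "__main__":
    print("PWD_AUTH frame:", build_pwd_auth(bytes.fromhex("712810eb")).hex())
    print("recovered:", recovered_keys())
```

The CRC check is what separates a real password from line noise in a long capture: a 0x1B byte followed by four random bytes is common, a 0x1B frame whose CRC_A verifies is not. Keeping the PACK that follows lets you confirm later that the tag you dump with that PWD is the one the portal talked to.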
Great info! A new study!!
--- Tag Information ---------
-------------------------------------------------------------
TYPE : NTAG 213 144bytes (NT2H1311G0DU)
UID : 04 62 b6 8a b4 42 80
UID[0] : 04, NXP Semiconductors Germany
BCC0 : 58, Ok
BCC1 : FC, Ok
Internal : 48, default
Lock : 1f 00 - 0000000000011111
OneTimePad : e1 10 12 00 - 00000000000100100001000011100001
--- NDEF Message
Capability Container: e1 10 12 00
E1 : NDEF Magic Number
10 : version 1.0 supported by tag
12 : Physical Memory Size: 152 bytes
12 : NDEF Memory Size: 144 bytes
00 : Read access granted without any security / Write access granted without any security
--- Tag Signature
IC signature public key value : 04494e1a386d3d3cfe3dc10e5de68a499b1c202db5b132393e89ed19fe5be8bc61
Elliptic curve parameters : secp128r1
Tag ECC Signature : bd 2a 3e 92 b1 61 c5 79 31 3d a2 98 32 9a e5 6e 37 90 26 f1 7a 1e 17 ab 7a 89 1e b8 f9 d9 48 79
--- Tag Version
Raw bytes : 00 04 04 02 01 00 0f 03
Vendor ID : 04, NXP Semiconductors Germany
Product type : 04, NTAG
Product subtype : 02, 50pF
Major version : 01
Minor version : 00
Size : 0F, (256 <-> 128 bytes)
Protocol type : 03
--- Tag Configuration
cfg0 [41/0x29] : 04 00 00 1e
- page 30 and above need authentication
- strong modulation mode disabled
cfg1 [42/0x2A] : c0 05 00 00
- Unlimited password attempts
- user configuration permanently locked
- read and write access is protected with password
- 05, Virtual Card Type Identifier is default
PWD [43/0x2B] : 00 00 00 00 - (cannot be read)
PACK [44/0x2C] : 00 00 - (cannot be read)
RFU [44/0x2C] : 00 00 - (cannot be read)
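The `hf mfu info` output above packs a lot into a few bytes. As an added example (plain Python, not the Proxmark3 client code) here is the decoding of the identification and configuration fields per the NXP NTAG213/215/216 datasheet, applied to the values printed above. One caveat worth knowing: the datasheet defines bit 2 of the MIRROR byte as STRG_MOD_EN, with 1 meaning strong modulation enabled, and 04 00 00 FF is the factory default of page 0x29, so a MIRROR byte of 0x04 means strong modulation is on; the client build quoted above prints that line the other way round.

```python
"""Decode the NTAG213 fields shown by 'hf mfu info' (UID/BCC, CC, static lock
bytes, CFG0/CFG1).  Added example in plain Python, not Proxmark3 client code;
bit layouts follow the NXP NTAG213/215/216 datasheet.  Input values below are
the ones printed in the post above."""

NTAG213_LAST_PAGE = 0x2C  # pages 0x00..0x2C (45 pages); user memory is 0x04..0x27


def expected_bcc(uid: bytes):
    """ISO 14443-3 check bytes for a 7-byte UID: cascade level 1 covers
    CT(0x88)+UID0..2, level 2 covers UID3..6."""
    if len(uid) != 7:
        raise ValueError("expected a 7-byte UID")
    bcc0 = 0x88 ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    return bcc0, bcc1


def decode_cc(cc: bytes) -> dict:
    """Capability container (page 3): magic, mapping version, NDEF area size, access."""
    magic, version, size, access = cc
    return {
        "ndef_magic": magic == 0xE1,
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "ndef_area_bytes": size * 8,  # 0x12 * 8 = 144 bytes of NDEF memory
        "read_without_auth": (access >> 4) == 0,
        "write_without_auth": (access & 0x0F) == 0,
    }


def decode_static_lock(lock: bytes) -> dict:
    """Static lock bytes (page 2, bytes 2-3).  Byte 0: bits 0-2 are block-locking
    bits (freeze the lock bits themselves), bit 3 locks the CC page, bits 4-7 lock
    pages 4-7.  Byte 1: bits 0-7 lock pages 8-15."""
    l0, l1 = lock
    locked = [3] if l0 & 0x08 else []
    locked += [4 + i for i in range(4) if l0 & (1 << (4 + i))]
    locked += [8 + i for i in range(8) if l1 & (1 << i)]
    return {
        "locked_pages": locked,
        "block_locks_frozen": {"cc": bool(l0 & 1), "4-9": bool(l0 & 2), "10-15": bool(l0 & 4)},
    }


def decode_cfg(cfg0: bytes, cfg1: bytes) -> dict:
    """CFG0 (page 0x29): MIRROR, RFU, MIRROR_PAGE, AUTH0.
    CFG1 (page 0x2A): ACCESS, VCTID, RFU, RFU."""
    mirror, _rfu, _mirror_page, auth0 = cfg0
    access, vctid, _r1, _r2 = cfg1
    authlim = access & 0x07
    protected = list(range(auth0, NTAG213_LAST_PAGE + 1)) if auth0 <= NTAG213_LAST_PAGE else []
    return {
        "mirror_conf": mirror >> 6,                  # 0 = no UID/counter ASCII mirror
        "strong_modulation": bool(mirror & 0x04),    # STRG_MOD_EN, set in the factory default 0x04
        "auth0": auth0,                              # first page that needs PWD_AUTH; 0xFF = none
        "protected_pages": protected,
        "prot_read_and_write": bool(access & 0x80),  # PROT: 1 = read+write need auth, 0 = write only
        "config_locked": bool(access & 0x40),        # CFGLCK: config pages permanently frozen
        "nfc_counter_enabled": bool(access & 0x10),
        "authlim": "unlimited" if authlim == 0 else 2 ** authlim,  # failed attempts before lockout
        "vctid": vctid,                              # 0x05 is the default
    }


def summarize(uid_hex, bcc0, bcc1, cc_hex, lock_hex, cfg0_hex, cfg1_hex) -> dict:
    """Combine the checks the way a dump tool would before trusting its output."""
    e0, e1 = expected_bcc(bytes.fromhex(uid_hex))
    out = {"bcc_ok": (e0, e1) == (bcc0, bcc1)}
    out.update(decode_cc(bytes.fromhex(cc_hex)))
    out.update(decode_static_lock(bytes.fromhex(lock_hex)))
    out.update(decode_cfg(bytes.fromhex(cfg0_hex), bytes.fromhex(cfg1_hex)))
    # With PROT set, every page from AUTH0 up is unreadable until PWD_AUTH succeeds,
    # so a dump without the key only covers the user pages below AUTH0.
    out["readable_without_pwd"] = [p for p in range(4, 0x28) if p not in out["protected_pages"]]
    return out


# Values from the 'hf mfu info' output above.
TOKEN = summarize("0462b68ab44280", 0x58, 0xFC, "e1101200", "1f00", "0400001e", "c0050000")

if __name__ == "__main__":
    for key, value in TOKEN.items():
        print(key, value)
```

The practical reading for this token: pages 4 to 29 of user memory are readable by anyone, pages 30 to 39 plus the dynamic lock, config, PWD and PACK pages need a successful PWD_AUTH first, there is no attempt limit, and CFGLCK means none of that can be changed even with the password.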
I think I'm the user Iceman is referring to. Iceman, feel free to use my name anytime you're attributing anything I've done.
Asper: email me (bettse@fastmail.fm) and I can make sure to keep you up to date with the raw pipeline of research
I just joined the forum and have my Proxmark on the way - I'm very interested in this topic (more so since it hasn't been done yet?) - Bettse, can I email to stay in the pipeline on that research?
I'm a little late to the party. Have you figured out the password algo by now? If not I can give it a shot.
As a matter of fact, no, the pwd algo gen is not known. Go ahead and give it a shot.
Just picked up the Game for the XB1 - My Proxmark shipping has been delayed - but they are now using DHL (So they say) and I'm living in a hotel for a month, so I'll have time at night and wanted to get involved in this - So hoping to help out some as soon as the Proxmark gets here.....
Iceman - I have some UIDs and Passwords - I didn't want to PM you without asking - Would you mind if I send them over in a PM? I'm not having any luck though reading a tag for any info or a dump using the PWDs I sniffed - I get:
iso14443a card select failed
Using : proxmark3> hf mfu info k <Found PWD>
Antenna looks good - With no Token : # HF antenna: 27.26 V @ 13.56 MHz and with token on the reader : # HF antenna: 23.86 V @ 13.56 MHz
Reader Information - Using the latest build from your fork - FW, Boot and Main Program.
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-18 19:45:00
os: /-suspect 2015-11-18 19:45:13
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 172262 bytes (33%). Free: 352026 bytes (67%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
I could get into IRC as well, if that makes this any easier....
Iceman - Figured out my token recognition issue - I can't rest the tag on the antenna, I need to hold it slightly above to get a read, so I have looked at 5 Tokens - (4) in the Starter kit and (1) from a Level expansion.
I have the UIDs, Auth Password, and PACK for each - The PACK is generic for all tokens read so far with a PACK of: AA 55
What else can I do to help out??
nice, if you can make a complete dump of all tokens it will help.
Already on it - I have a complete dump of the base (4) Figures and now all (3) from the Dr Who Level Pack. Two from the DrWho pack won't ID in the game yet since you need to be at a point in the game to "activate" them, so they are either K9 or the Tardis and I won't know until I play that level
The two new figures from the Dr Who pack also had PACKs of AA 55, so I think after 6 of them we can assume they all use that for the PACK. I do have more to scan and I will this weekend, so I'll have (6) more to add to it, if they help.
I can zip them up and put them on sendspace. Do you want any of the Capture information / etc included? (I have a file, it's messy, but has the information in it). I'll add it to the ZIP just in case; you can delete it if you don't need it.
I'll do that after I catch up on my paying job....... So in a few hours I'll have it up there.
Hey Iceman, can I send you the link in email for now rather than public until we know its of use?
Two from the DrWho pack won't ID in the game yet since you need to be at a point in the game to "activate" them, so they are either K9 or the Tardis and I won't know until I play that level
Those two tags are vehicle/blank tags so can be set as either. After you have played through the Dr Who level you can use him to program any vehicle tags into tardis/k9 or use Batman to make a bat mobile.
Cool - Makes sense, first time I ever saw that in the game (But it was my first level pack). I also have the Simpsons and Back to the Future. I'm hoping we can get some others to contribute some of the team packs / fun packs and Jurassic World Level pack.
You can email me the link or publish it here. That decision is up to you.
My email is littered all over this forum.
And yes, PACK is fixed. The pwd gen is known. I have a lua script for it.
The data mapping process is being worked on by some talented ppl. That is where your dumps will come in handy.
Ah Awesome - Didn't know it was that far along
Here's a link for the files, hope they help out ... and I'll have 6 more this weekend to add.
https://www.sendspace.com/file/sbuh7t
Iceman - How do I sim the dumped token on the PM3? I was looking for the dumptoemul-mfu.lua in your fork, but I don't see it and I can't seem to find the lua for that anywhere?
Don't know where you are looking...
https://github.com/iceman1001/proxmark3 … ul-mfu.lua
Oh wow ... Yeah, I must have just missed it - I was up way too late when I was fighting the dump issue I had until I started to change the distance from the tag to the antenna - and once that worked, I had to dump the tags - So I was tired.... Thanks for the link and sorry for the dump question.
Are there magic cards that can do NTAG213s? Using the PM3 to sim is one way, but you often need more than one tag on the game at a time.
What I found interesting (at least for me since I'm new to NFC hacking): once the original figure is authenticated, I used a UL tag emulator (doesn't support UL-C) with the token dump, taking out all the empty memory addresses with all 00's so it would fit on the EMU, and it would work great, but of course that's only due to the system not authenticating the token since it was authenticated once before. Not sure if that's common or not?
the distance between reader and tag is a common fault to make.
I haven't heard of any magic NTAG213 tags. Use your google-foo and see if there is some out there.
I don't have the Lego setup, so I don't know too much about its behavior.
Yeah - that distance was a killer. Just annoying when I know it should work and I just try it figuring it may be noise / too strong and bam it read (That was 3 hours and frustration but all part of the experience....)
I appreciate the replies and education - Only been 2 days of playing and it's a blast - needed something to toy with since I'm in a hotel suite for 2 months as we wait for the house to get built. I need to get marshmellows' fork, I think that has the hf mfu sim command in it from reading.
Did some google searches Tuesday for some emus, seems there's one that has 1Meg of RAM and allows for multiple tags in a single space - Main thing I find is they mention UL-Cs but never NTAGs - So I'll have to reach out to them to verify. Too bad you can't make a classic 1k emulate NTAGs somehow... have those around for Skylander playing around - I want to toy with Infinity as well, but I think you guys have that all figured out already? I saw one post on it, but didn't see the full information anywhere in the forum...
I have some NTAG213 and 216 stickers (gift for ordering NTAG215 keyfobs) but no game; maybe a demo in a store.
@Marshmellows' fork and separate branch, or my fork, has the same UL stuff.
If you had a joop card maybe you could make it act like an NTAG, but if there is no market for it the Chinese will not make it.
You can order a magic NTAG if you want to pay up for it to be made. There are some other threads for magic DESFire/15693 tags, where the minimum order to create is 10000€ / 1000 pieces or something like that. I didn't hear more about it. There was a magic 15 tag on taobao; I'm curious to buy it to see what it does, and of course a magic iClass would be nice.
DI, well, yes, there are some ppl who have all info, same goes with Sky, amiibo etc etc. There is enormously much done which isn't public since everyone doesn't want to get a cease and desist letter. If you get somewhere with your research you may get in touch with ppl.
belette - Would a regular 213 tag work since you can't change the UID on it?
Iceman - Good point on the market, and makes logical sense. The classic magic cards had a big market; I can't see the NTAG (depending on which variant) having a huge market right now (not a legit one at any rate). For now I'll stick with the Lego to see what we can figure out - This one is more intriguing to me than sky and the others. Totally understand the down low on this, I'm not a fan of the vendors losing money either, so a huge public release of most of this stuff isn't on my list either (one reason I asked about emailing you the tags rather than a public post).
I thought I had your latest fork and the hf mfu eload wasn't in it, probably something on my side - Now that I had some sleep, I need to look over my environment some to make sure I'm set up correctly.
Awesome forum for knowledge, I thank you guys for all the answers / etc ... If there's a chance to keep me in the loop on anything the dumps helped with, I would appreciate it.
If you figure out whether the data is encrypted and are able to decrypt it, then you should be able to clone...
If you figure out some of the data mapping, like where the toytype is stored, you might be able to not only clone but try all different toytokens on an empty NTAG card... many ifs but still...
btw, the link didn't work since sendspace seems to be down.
Yeah, a lot of if's, but just started out - so its exciting ....
Yeah, I saw that with sendspace - was trying to get the PM3 build - Glad you mentioned it, thought it was my side for a bit. I'll send it over in an email to you.
Sent
One thing I notice with your logs: they don't pick up the PACK. Strange, it should be there. Even if I know the PACK, but still.
Yeah, I only saw the pack when I ran it against the tokens directly - I don't remember seeing it in any of the snoops.
No try, no toys or portal, and no keygen; already I would want to be able to make it with amiibo on NTAG215.
I can get some 231 tags cheap to play around with ... Might just to see what I can / can't do.... I have all regular M1 Classic, or UL-C tags.... Nothing for NTAGs at all.... So I'll have to grab a few and some 215's just to have them to toy with.
I took the liberty of comparing sllabgib's dumps with mine. The writable tags do not have many secrets. Vehicle/Gadget IDs as well as Enhancements are static. The data has no CRC/signature. I've attached a screenshot for illustration. Unfortunately, the dynamic lock bits are set correctly. Hence, there is no chance of repurposing a vehicle/gadget tag for a figure tag.
Have just mapped the 4 digit codes for most vehicles. Am missing a few which might not be in the game yet.
Codes start at ED 03 through till FF 03 and 00 04 to 65 04. They are grouped in 3 variants: ee03 ef03 ff03 are the bat mobile and its two rebuilds.
Well done!
Do you have a list or?
65 04 proton zapper
64 04 ghost trap open
63 04 ghost trap
62 04 ecto sub
61 04
60 04 ecto 1
5f 04 dalek
5e 04
5d 04
5c 04 hover pod
5b 04
5a 04
59 04 joker's chopper
58 04
57 04
56 04 quinn mobile
55 04
54 04
53 04 bane's drill driver
52 04
51 04
50 04 aqua man ?
4f 04
4e 04
4d 04 time train
4c 04
4b 04
4a 04 ninjacopter
49 04
48 04
47 04 invisible jet
46 04
45 04
44 04 cloud cuckoo car
43 04
42 04
41 04 scooby snack
40 04
3f 04
3e 04
3d 04
3c 04 turret
3b 04 companion cube
3a 04
39 04
38 04 samurai mech
37 04
36 04
35 04 blade bike
34 04
33 04
32 04
31 04
30 04 lightning jet
2f 04 boulder bomber
2e 04
2d 04
2c 04 mystery machine
2b 04
2a 04
29 04 arrow launcher
28 04
27 04
26 04 lion rider
25 04
24 04
23 04 clown bike
22 04
21 04
20 04 gyrosphere
1f 04
1e 04
1d 04 dinosaur
1c 04
1b 04
1a 04 taunt-o-vision
19 04
18 04
17 04 homer's sub
16 04
15 04
14 04 shelob
13 04
12 04
11 04 axe chariot
10 04
0f 04
0e 04 flying monkey
0d 04
0c 04
0b 04 emmett's
0a 04
09 04
08 04 tardis
07 04
06 04
05 04 k9
04 04
03 04
02 04
01 04
00 04 cyborg
ff 03 cragger's sub
fe 03
fd 03
fc 03 chima eagle
fb 03
fa 03
f9 03 hoverboard
f8 03
f7 03
f6 03 delorean
f5 03
f4 03
f3 03 benny's spaceship
f2 03
f1 03
f0 03 sonic batray
ef 03
ee 03 bat mobile
ed 03 bart simpsons
ec 03
eb 03
ea 03 bad cop
df 03
de 03
This list was compiled by another user. You'll find it useful.
That's a lot of typing lol
Have you got any hints for the UID to PWD algorithm? I wanted to try and work it out for myself, but haven't found a single link yet.
As far as the pwd-gen algo goes, the status is not so good. A huge dataset of uid/pwd is missing to do proper analysis on.
It probably uses a pseudorandom generation algo; collecting UIDs from ...00000, 00001, 00002, 00003 and the corresponding password is the only way to try to find it.
Hi,
I have made 16 dumps here with password for each tag.
What is the best way to share with you ? Something like sendspace ?
Sendspace is nice, but dumps is not needed so much.
If you make a list with UID|PWD|PACK|TOKENNAME and share it, that would be good to have.
So, here it is :
UID|password|Pack|Name
CHARACTERS:
046050bcca704080|712810eb|aa55|batman
044436fee24a3f80|ee312e8d|aa55|homer
04159900da514280|e371c76f|aa55|wildstyle
04bd16271aa34880|920a0df9|aa55|marty
04bc42727a5c4980|3eda96fd|aa55|doctor
046a6e8832544281|04fc476d|aa55|chell
044bd4130a9a4081|219ee4cd|aa55|gandalf
VEHICLES:
04120f911a5c4985|a759dc0b|aa55|TARDIS
04c3da951a5c4980|de7a2f7b|aa55|K9
04ed00619a6d4084|97b7672e|aa55|HomerCar
0432ec52daa24081|a963d6ce|aa55|Batmobile
043c8e3e82b93f80|ddf1bf02|aa55|Taunt-o-Vision
04f6c8b2da984080|734a023c|aa55|Overboard
04a049655aa14080|c49d588f|aa55|SentryTurret
043d42f39a0c4080|1899cc50|aa55|CompanionCube
044965a062a34080|0615215a|aa55|Delorean
PWD is generated from UID ?
What about NDEF data ?
I have "en9575748S2315" for Gandalf, but sllabgib have "en9537910R1115". This is perhaps used for password generation, no ?
The assumption is that the pwd is generated from the UID. If you sniff the communication between token and portal (good exercise) you'll see it never reads any blocks before authenticating.
As mentioned earlier in this thread, we would need to collect uid|pwd via simulation. Some specific cases of uid is needed to start figuring it out.
Have managed to get sim working. it's kind of a long winded process at the moment.
04000000000001 0x5e7c00d5
04000000000002 0x10a73bd2
04000000000003 0x0c8aa982
04000000000004 0xc0c07919
04000000000010 0x94a6fc6d
04000000000100 0x486ca057
04a71f9a704080 0x80e8b93e
04a71f9b704080 0x4553430e
04a71f9a804080 0x04a993f1
ffffffffffffff 0x115847f0
any specific uid you want me to try ?
Great! Like you are doing, but 0-F, in a single column, step by step is needed.
04000000000000
04000000000001
04000000000002
04000000000003
04000000000004
04000000000005
04000000000006
04000000000007
04000000000008
04000000000009
0400000000000A
0400000000000B
0400000000000C
0400000000000D
0400000000000E
0400000000000F
--
04000000000010
04000000000020
04000000000030
04000000000040
04000000000050
04000000000060
04000000000070
04000000000080
04000000000090
040000000000A0
040000000000B0
040000000000C0
040000000000D0
040000000000E0
040000000000F0
---
04000000000000
04111111111111
04222222222222
04333333333333
04444444444444
etc etc
Might have to automate it first. But that is a job for tomorrow
Looking at the first pairs in your list and seeing such a huge difference when changing one bit makes me think that they are using a CRC- or hash-algo on the uid. Or it may even be a crypto algo...
Assuming the portal has the pwd-gen-algo in its firmware (and not in game software), and transaction speed is quite normal, I would lean towards CRC or hash.
Last edited by iceman (2015-12-03 09:30:45)
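The reasoning above (one-bit UID changes scrambling most of the PWD, so CRC or hash) can be turned into concrete checks on the pairs already posted in this thread. The block below is an added example, not part of the thread and not the real generator, and it makes no claim about what the generator is. It normalises the 8-byte UIDs from the UID|PWD|PACK table (byte 3 there is BCC0 as it sits in page 0 of the tag, which the code verifies before dropping it), predicts what the PWD for UID 04000000000000 would have to be if the generator were XOR-affine like any CRC, measures the avalanche between close UIDs from the sim runs, and tries a few textbook CRC-32 candidates against every pair. Only zlib from the standard library is used.

```python
"""Sanity checks on the (UID, PWD) pairs collected in this thread.

Added example, not from the thread; it makes no claim about the real generator.
Two questions a CRC/hash hypothesis raises:
 1. Is PWD an XOR-affine function of the UID?  Every CRC is (crc(x) = L(x) ^ k
    with L linear over XOR), so f(a) ^ f(b) ^ f(c) == f(a ^ b ^ c) must hold.
    With the 01/02/03 sim entries that predicts the PWD of UID 04000000000000,
    which one more sim run can confirm or kill.
 2. How many of the 32 output bits flip for a 1-bit UID change (avalanche)?
Plus a direct test of a few textbook candidates against every pair."""
import zlib
from itertools import combinations

# UID -> PWD pairs posted above (sim results) plus two real tokens from the
# UID|PWD|PACK table, whose 8-byte "UID" is really page 0 + page 1 incl. BCC0.
PAIRS = {
    "04000000000001": 0x5e7c00d5,
    "04000000000002": 0x10a73bd2,
    "04000000000003": 0x0c8aa982,
    "04000000000004": 0xc0c07919,
    "04000000000010": 0x94a6fc6d,
    "04000000000100": 0x486ca057,
    "04a71f9a704080": 0x80e8b93e,
    "04a71f9b704080": 0x4553430e,
    "04a71f9a804080": 0x04a993f1,
    "ffffffffffffff": 0x115847f0,
    "046050bcca704080": 0x712810eb,  # batman
    "044436fee24a3f80": 0xee312e8d,  # homer
}


def normalize_uid(uid_hex: str) -> bytes:
    """Return the 7-byte UID.  An 8-byte value is accepted only if byte 3 equals
    BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2, i.e. it is the page-0/page-1 image."""
    raw = bytes.fromhex(uid_hex)
    if len(raw) == 7:
        return raw
    if len(raw) == 8 and raw[3] == 0x88 ^ raw[0] ^ raw[1] ^ raw[2]:
        return raw[:3] + raw[4:]
    raise ValueError("not a 7-byte UID or a page0/page1 image: " + uid_hex)


def uid_int(uid_hex: str) -> int:
    return int(normalize_uid(uid_hex).hex(), 16)


def popcount(x: int) -> int:
    return bin(x).count("1")


def affine_prediction(pairs, a, b, c):
    """(target_uid, predicted_pwd): if the generator is XOR-affine, the PWD of
    a ^ b ^ c must equal pwd(a) ^ pwd(b) ^ pwd(c).  One sim of target_uid tests it."""
    target = "%014x" % (uid_int(a) ^ uid_int(b) ^ uid_int(c))
    return target, pairs[a] ^ pairs[b] ^ pairs[c]


def avalanche(pairs, max_uid_bits=4):
    """(uid_a, uid_b, uid_bits_changed, pwd_bits_changed) for UIDs that differ in
    at most max_uid_bits.  A hash-like generator averages ~16 of 32 output bits."""
    out = []
    for (ua, pa), (ub, pb) in combinations(pairs.items(), 2):
        d = popcount(uid_int(ua) ^ uid_int(ub))
        if 0 < d <= max_uid_bits:
            out.append((ua, ub, d, popcount(pa ^ pb)))
    return out


CANDIDATES = {
    "crc32(uid)": lambda u: zlib.crc32(u) & 0xFFFFFFFF,
    "crc32(reversed uid)": lambda u: zlib.crc32(u[::-1]) & 0xFFFFFFFF,
    "~crc32(uid)": lambda u: ~zlib.crc32(u) & 0xFFFFFFFF,
}


def candidate_hits(pairs):
    """How many pairs each textbook candidate reproduces; 0 rules it out."""
    return {name: sum(fn(normalize_uid(u)) == p for u, p in pairs.items())
            for name, fn in CANDIDATES.items()}


if __name__ == "__main__":
    print("affine prediction:", affine_prediction(PAIRS, "04000000000001",
                                                  "04000000000002", "04000000000003"))
    for ua, ub, d, h in avalanche(PAIRS):
        print("%s -> %s: %d uid bit(s) changed, %2d/32 pwd bits changed" % (ua, ub, d, h))
    print("candidate hits:", candidate_hits(PAIRS))
```

If the sim of 04000000000000 does not return the predicted value, no XOR-linear function of the UID (and therefore no plain CRC, of any polynomial) fits these three points, and the search moves on to hashes or ciphers. That is why the sequential UIDs iceman asks for are the right dataset: a handful of runs pins down linearity, and the single-bit neighbours give the avalanche figures.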
Great sim ! Can you start with 00000000000000 and not 0400000000000 ? Thank you for your support !